Profiles | Names | Interfaces | Routing | Firewalls

Netcfg Firewall administration


Linux firewalls are controlled with the ipfwadm, ipchains or netfilter interface, depending on your system configuration and kernel version. The Firewalls page edits the firewall configuration file. The three interfaces are very similar.

Firewall rules are divided into three categories:

In most cases, the rules need to be symmetrical -- for instance, allowing request packets to go out to a remote web server only makes sense if the responses from that server are allowed to return.

The exception to this rule are the "SYN" packets which are used to initiate a new connection. For instance, even though packets using the http protocol are allowed in so that you can receive data from a remote web site, http packets requesting a new connection might be blocked, to prevent outsiders from connecting to internal web servers.

With ipchains and netfilter, additional user-defined rulesets may be created and referenced (or "chained") from other rulesets. Chains allow very complex firewalls to be created.

Each rule set consists of a list of rules which are compared to network packets and tested to see if they apply. The first rule to match the packet being tested determines what happens to that packet. The available dispositions are:

If no disposition is specified, the packet is logged but no action is taken; more rules will be tested to see what is to become of the packet.

In general, incoming connection requests should be severely restricted unless this system is a server, and even then only those ports which are actually needed should be enabled.

The output rules are usually set to be permissive unless you don't trust some of your users.

The forwarding rules should be set to deny all fowarding unless this system is going to be used as a router and/or a firewall.

Rule Specifications

Rules are matched to packets based on one or more of several criteria: The originating IP address, the destination IP address, the originating port, the destination port, the icmp type and/or the interface device.

Normally, only one or two criteria are used in any given rule. For example a rule might be used to deny all access to the system's smtp port, or perhaps limit access to the ftp port to certain IP addresses.

Descriptions of ports

Some of the most commonly-used ports are listed here. See the file /etc/services for a more complete (but not exhaustive) list.

13 -- Daytime

Host sends current date and time and terminates connection. This port is used for testing and to synchronize the system clocks within an organization.

20,21 -- Ftp

File Transfer Protocol; used to move files between systems.

FTP is a little tricky because it uses two ports. In a typical transaction, the client application initiates a connection over port 21 (ftp) and the server initiates the return connection over port 20 (ftp-data).

Allowing an outside system (the server) to initiate a connection is somewhat risky. One solution is to install ftp proxy software in your firewall system. Another is to restrict ftp access to "passive mode" in which the client system initiates both connections. Fortunately, most ftp software will work this way.

For more information, see the LINUX Network Administrators's Guide by Olaf Kirch & Terry Dawson, published by O'Reilly books.

22 -- SSH

Secure Shell; encrypted protocol which provides secure remote login and secure file transfer.

23 -- Telnet

Protocol which allows users on one system to log onto another. Obsoleted by ssh.

25 -- SMTP

Simple Mail Transfer Protocol. This is the protocol by which email is delivered to email servers.

A misconfigured smtp server can allow spammers to relay spam through your system, so enable this with care. Make sure your mail server software is configured to disallow forwarding.

67,68 -- Bootp

Boot Protocol. Used to allow client systems on a network to query for networking parameters. Server port (67) should only allow incoming connection requests if this system is to be a bootp server.

69 -- TFTP

Transparent File Transfer Protocol. This protocol is similar to ftp, but does not require authentication and creates a stateless connection. This protocol was used once to allow diskless workstations to download their root partitions from a server. Leave this disabled.

70 -- Gopher

Protocol used to fetch files from public servers. Obsoleted by the World Wide Web. Disable all incoming connection requests unless you're actually running a gopher server. Permit outgoing connection requests.

79 -- Finger

Used to discover information about users, such as when they were last logged in, when they last checked their email and the contents of their ".project" and ".plan" files.

Finger was written in more trusting times, but now it serves as a way for crackers to get information about your system's users. In addition, a bug in the finger daemon was exploited by the Morris Worm to gain access to systems.

Still, some special-purpose finger daemons exist. For instance, there are servers which will return a PGP key id if you finger something like "keyid@keyserver"

80 -- HTTP

HyperText Transport Protocol -- aka the World Wide Web.

109 -- Pop2

Post Office Protocol, version 2. Used to download email from POP servers.

110 -- Pop3

Post Office Protocol, version 3. Used to download email from POP servers.

111 -- SunRPC

Remote Procedure Call. A more advanced form of TCP/IP networking invented by Sun Microsystems. Allows programs on one system to effectively make subroutine calls to programs on another.

119 -- NNTP

Network News Transfer Protocol. Used to transfer usenet news. If you enable this, make sure your news server is properly configured to only accept news articles from authenticated peers. Otherwise, spammers will hijack your system.

123 -- NTP

Network Time protocol. A way for systems to get correct and accurate time.

110 -- IMAP

Internet Mail Access Protocol, version 2. A way for users to access email on a remote server.

194 -- irc

Internet Relay Chat.

443 -- https

HTTP, Secure. This is the secure version of the
http protocol.

512 -- exec

Allows execution of programs on remote systems.

513/tcp -- login

Unix remote login protocol. See
telnet for recomendations.

513/udp -- who

Used to ask for information about the users of a remote system. See
finger for recomendations.

514/tcp -- shell

Used to get a remote shell on another system. See
telnet for recomendations.

514/udp -- Syslog

System logs. Used to place entries in a unix system log.

515 -- printer

Remote printing under Unix.

517 -- talk

A very old and very simple chat program that allows two users on unix systems to communicate with each other.

520 -- route

Network routing information.

532 -- Netnews

nntp for recomendations.

533 -- Netwall

Network Write All. Used to transmit a message to every terminal on every system on a network.

540 -- UUCP

Unix-Unix Copy Program. A relic from a very old network. Just leave this disabled except in the unlikely event that you're actually running a UUCP site.

Descriptions of protocols

Linux firewalls can filter based on protocol type as well as the parameters listed above.

Many services are available with both the TCP and UDP protocols. See the file /etc/services for a list of common services, their ports, and their protocols.

The protocol types which may be selected are:


Transmision Control Protocol. This is the protocol which provides a reliable two-way serial connection between software running on two hosts. This is the protocol used by the majority of applications, such as web browsers and remote logins.


User Datagram Protocol. With this protocol, short messages ("datagrams") are sent from host to host. No attempt is made to ensure that packets arrive safely or in the correct order. This protocol is typically used by name servers, multiplayer computer games and other software which needs small bits of data quickly and which can tolerate or recover from missing data.


Internet Control Message Protocol. This protocol is used internally by networking software, mainly to transmit error messages and network routing information. ICMP message types are defined in RFC-1700 and in the header file /usr/include/netinet/ip_icmp.h